show facility-alarm through show ipsec stats Commands

show facility-alarm

To display the triggered alarms in an ISA 3000 device, use the show facility-alarm command in user EXEC mode.

show facility-alarm { relay | status [ info | major | minor ]}

Syntax Description

relay

Displays the alarms that have energized the alarm output relay.

status [ info | major | minor ]

Displays all the alarms that have been triggered. You can add the following keywords to limit the list:

major —Displays all the major severity alarms.

minor —Displays all the minor severity alarms.

info —Displays all the alarms. This keyword provides the same output as using no keyword.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Global configuration  Yes     Yes             Yes     —        —

Command History

Release   Modification
9.7(1)    We introduced this command.

Usage Guidelines

Use the relay keyword to view just the alarms that have energized the alarm output relay. The output alarm relay is energized based on whether you configure the triggered alarms to activate it. Energizing the alarm output relay activates the device that you attach to it, such as a flashing light or buzzer.

Use the status keyword to view all the alarms that have been triggered, regardless of whether the alarm action triggered the external alarm output relay.

The following table explains the columns in the output.

Column       Description
Source       The device from which the alarm was triggered. This is usually the hostname configured on the device.
Severity     Major or minor.
Description  The type of alarm triggered. For example, temperature, external alarm contact, or redundant power supply.
Relay        Whether the external alarm output relay was energized or de-energized. The external output alarm is triggered based on your alarm configuration.
Time         The timestamp of the triggered alarm.

Examples

The following is a sample output from the show facility-alarm relay command:

Syntax Description

Displays failover history. The failover history displays past failover state changes and the reason for the state change for the active unit.

The failover history includes the failure reason along with its specific details; this helps with troubleshooting.

Add the details keyword to display failover history from the peer unit. This includes failover state changes and the reason for the state change, for the peer unit.

History information is cleared when the device is rebooted.

interface

Displays failover and stateful link information.

num

Failover group number.

state

Displays the failover state of both failover units. The information displayed includes the primary or secondary status of the unit, the Active/Standby status of the unit, and the last reported reason for failover. The fail reason remains in the output even when the reason for failure is cleared.

Defaults

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
7.0(1)    This command was modified. The output includes additional information.
8.2(2)    This command was modified. The output includes IPv6 addresses for firewall and failover interfaces. The Stateful Failover statistics output includes information for the IPv6 neighbor discover table (IPv6 ND tbl) updates.
9.9.2     This command was modified. The failover history output includes enhancements to the failure reasons. The history details keyword was added. This displays failover history from the peer unit.

Usage Guidelines

If both IPv4 and IPv6 addresses are configured on an interface, both addresses appear in the output. Because an interface can have more than one IPv6 address configured on it, only the link-local address is displayed. If there is no IPv4 address configured on the interface, the IPv4 address in the output appears as 0.0.0.0. If there is no IPv6 address configured on an interface, the address is simply omitted from the output.

The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The “xerr” and “rerr” values do not indicate errors in failover, but rather the number of packet transmit or receive errors.

Note: Stateful Failover, and therefore Stateful Failover statistics output, is not available on the ASA 5505.

In the show failover command output, the stateful failover fields have the following values:

Stateful Obj has these values:

– xmit—Indicates the number of packets transmitted.

– xerr—Indicates the number of transmit errors.

– rcv—Indicates the number of packets received.

– rerr—Indicates the number of receive errors.

Each row is for a particular object static count as follows:

– General—Indicates the sum of all stateful objects.

– sys cmd—Refers to the logical update system commands, such as login or stay alive.

– up time—Indicates the value for the ASA up time, which the active ASA passes on to the standby ASA.

– RPC services—Remote Procedure Call connection information.

– TCP conn—Dynamic TCP connection information.

– UDP conn—Dynamic UDP connection information.

– ARP tbl—Dynamic ARP table information.

– Xlate_Timeout—Indicates connection translation timeout information.

– IPv6 ND tbl—The IPv6 neighbor discovery table information.

– VPN IKE upd—IKE connection information.

– VPN IPSEC upd—IPsec connection information.

– VPN CTCP upd—cTCP tunnel connection information.

– VPN SDI upd—SDI AAA connection information.

– VPN DHCP upd—Tunneled DHCP connection information.

– SIP Session—SIP signalling session information.

– Route Session—LU statistics of the route synchronization updates.

If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address, and monitoring of the interfaces remains in a “waiting” state. You must set a failover IP address for failover to work.

The interface is up and receiving hello packets from the corresponding interface on the peer unit.

Normal (Waiting)

The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

Normal (Not-Monitored)

The interface is up but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

No Link

The physical link is down.

No Link (Waiting)

The physical link is down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. After restoring the link, verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

No Link (Not-Monitored)

The physical link is down but is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

Link Down

The physical link is up, but the interface is administratively down.

Link Down (Waiting)

The physical link is up, but the interface is administratively down and the interface has not yet received a hello packet from the corresponding interface on the peer unit. After bringing the interface up (using the no shutdown command in interface configuration mode), verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

Link Down (Not-Monitored)

The physical link is up, but the interface is administratively down and is not monitored by the failover process. The failure of an interface that is not monitored does not trigger failover.

Testing

The interface is in testing mode due to missed hello packets from the corresponding interface on the peer unit.

Failed

Interface testing has failed and the interface is marked as failed. If the interface failure causes the failover criteria to be met, then the interface failure causes a failover to the secondary unit or failover group.

In multiple context mode, only the show failover command is available in a security context; you cannot enter the optional keywords.

Examples

The following is sample output from the show failover command for Active/Standby Failover. The ASAs use IPv6 addresses on the failover link (folink) and the inside interface.

Config Syncing - STANDBY —Set while the synchronized configuration is being executed.

Interface Config Syncing - STANDBY

Sync Done - STANDBY —Set when the standby unit has completed a configuration synchronization from the active unit.

The following are possible configuration states for the active unit:

Config Syncing —Set on the active unit when it is performing a configuration synchronization to the standby unit.

Interface Config Syncing

Sync Done —Set when the active unit has completed a successful configuration synchronization to the standby unit.

Ready for Config Sync —Set on the active unit when the standby unit signals that it is ready to receive a configuration synchronization.

Communication State

Displays the status of the MAC address synchronization.

Mac set —The MAC addresses have been synchronized from the peer unit to this unit.

Updated Mac —Used when a MAC address is updated and needs to be synchronized to the other unit. Also used during the transition period where the unit is updating the local MAC addresses synchronized from the peer unit.

Date/Time

Displays a date and timestamp for the failure.

Last Failure Reason

Displays the reason for the last reported failure. This information is not cleared, even if the failure condition is cleared. This information changes only when a failover occurs.

The following are possible fail reasons:

Interface Failure —The number of interfaces that failed met the failover criteria and caused failover.

Comm Failure —The failover link failed or peer is down.

Backplane Failure

State

Displays the Primary/Secondary and Active/Standby status for the unit.

This host/Other host

This host indicates information for the device upon which the command was executed. Other host indicates information for the other device in the failover pair.

The following is sample output from the show failover history command:

Each entry provides the time and date the state change occurred, the beginning state, the resulting state, and the reason for the state change. The newest entries are located at the bottom of the display. Older entries appear at the top. A maximum of 60 entries can be displayed. Once the maximum number of entries has been reached, the oldest entries are removed from the top of the output as new entries are added to the bottom.

The failure reasons include details that help in troubleshooting. These include interface check, failover state check, state progression failure and service module failure.

The following is sample output from the show failover history details command:

The show failover history details command requests the peer's failover history and prints the unit's failover history along with the peer's latest failover history. If the peer does not respond within one second, the command displays the last collected failover history information.

Table 7-3 shows the failover states. There are two types of states—stable and transient. Stable states are states that the unit can remain in until some occurrence, such as a failure, causes a state change. A transient state is a state that the unit passes through while reaching a stable state.

Table 7-3 Failover States

States

Description

Disabled

Failover is disabled. This is a stable state.

Failed

The unit is in the failed state. This is a stable state.

Negotiation

The unit establishes the connection with the peer and negotiates with the peer to determine software version compatibility and the Active/Standby role. Depending upon the role that is negotiated, the unit will go through the Standby Unit States or the Active Unit States or enter the failed state. This is a transient state.

Not Detected

The ASA cannot detect the presence of a peer. This can happen when the ASA boots up with failover enabled but the peer is not present or is powered down.

Standby Unit States

Cold Standby

The unit waits for the peer to reach the Active state. When the peer unit reaches the Active state, this unit progresses to the Standby Config state. This is a transient state.

Sync Config

The unit requests the running configuration from the peer unit. If an error occurs during the configuration synchronization, the unit returns to the Initialization state. This is a transient state.

Sync File System

The unit synchronizes the file system with the peer unit. This is a transient state.

Bulk Sync

The unit receives state information from the peer. This state only occurs when Stateful Failover is enabled. This is a transient state.

Standby Ready

The unit is ready to take over if the active unit fails. This is a stable state.

Active Unit States

Just Active

The first state the unit enters when becoming the active unit. During this state a message is sent to the peer alerting the peer that the unit is becoming active and the IP and MAC addresses are set for the interfaces. This is a transient state.

Active Drain

Queued messages from the peer are discarded. This is a transient state.

Active Applying Config

The unit is applying the system configuration. This is a transient state.

Active Config Applied

The unit has finished applying the system configuration. This is a transient state.

Active

The unit is active and processing traffic. This is a stable state.

Each state change is followed by a reason for the state change. The reason typically remains the same as the unit progresses through the transient states to the stable state. The following are the possible state change reasons:

No Error

Set by the CI config cmd

Failover state check

Failover interface become OK

HELLO not heard from mate

Other unit has different software version

Other unit operating mode is different

Other unit license is different

Other unit chassis configuration is different

Other unit card configuration is different

Other unit want me Active

Other unit want me Standby

Other unit reports that I am failed

Other unit reports that it is failed

Configuration mismatch

Detected an Active mate

No Active unit found

Configuration synchronization done

Recovered from communication failure

Other unit has different set of vlans configured

Unable to verify vlan configuration

Incomplete configuration synchronization

Configuration synchronization failed

Interface check

My communication failed

ACK not received for failover message

Other unit got stuck in learn state after sync

No power detected from peer

No failover cable

HA state progression failed

Detect service card failure

Service card in other unit has failed

My service card is as good as peer

LAN Interface become un-configured

Peer unit just reloaded

Switch from Serial Cable to LAN-Based fover

Unable to verify state of config sync

Auto-update request

Unknown reason
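The state classes of Table 7-3 and the reason list above are enough to automate a review of the history. The following Python check is an added example, not Cisco code; because this page does not reproduce the exact output line format, the entries are constructed as (timestamp, from_state, to_state, reason) tuples, and the 60-second transient dwell threshold and 10-minute flapping window are assumptions chosen for the illustration.

```python
"""Checks over show failover history entries (added example, not Cisco code).

Uses the stable/transient classification of Table 7-3 and the state change
reasons listed above to flag: a unit that lingers in a transient state, a
unit whose last entry is still a transient state, reasons that point at a
peer mismatch (configuration, software, license), and repeated activations
in a short window (flapping).
"""
from datetime import datetime, timedelta

STABLE = {"Disabled", "Failed", "Standby Ready", "Active"}
TRANSIENT = {"Negotiation", "Cold Standby", "Sync Config", "Sync File System",
             "Bulk Sync", "Just Active", "Active Drain",
             "Active Applying Config", "Active Config Applied"}
KNOWN = STABLE | TRANSIENT | {"Not Detected"}
# Reasons from the list above whose root cause is a mismatch between the
# peers, i.e. an operator problem rather than a transient network event.
MISMATCH_REASONS = {
    "Other unit has different software version",
    "Other unit operating mode is different",
    "Other unit license is different",
    "Other unit chassis configuration is different",
    "Other unit card configuration is different",
    "Configuration mismatch",
    "Other unit has different set of vlans configured",
    "Configuration synchronization failed",
}


def analyse_history(entries, max_transient=timedelta(seconds=60),
                    flap_window=timedelta(minutes=10)):
    """entries: list of (datetime, from_state, to_state, reason), oldest
    first, which is the order show failover history uses. Returns findings."""
    findings = []
    for i, (ts, src, dst, reason) in enumerate(entries):
        for state in (src, dst):
            if state not in KNOWN:
                findings.append(f"{ts:%H:%M:%S} unknown state '{state}'")
        if reason in MISMATCH_REASONS:
            findings.append(f"{ts:%H:%M:%S} peer mismatch: {reason}")
        if dst in TRANSIENT:
            # Dwell time in a transient state is the gap to the next entry;
            # the newest entry has no successor, so report it on its own.
            if i + 1 == len(entries):
                findings.append(f"{ts:%H:%M:%S} unit still in transient state '{dst}'")
            else:
                dwell = entries[i + 1][0] - ts
                if dwell > max_transient:
                    findings.append(f"{ts:%H:%M:%S} {dwell.total_seconds():.0f}s "
                                    f"in transient state '{dst}'")
    # Every entry into Just Active is one failover; two within the window is
    # flapping and usually means an unstable failover link or interface.
    activations = [ts for ts, _, dst, _ in entries if dst == "Just Active"]
    for earlier, later in zip(activations, activations[1:]):
        if later - earlier <= flap_window:
            findings.append(f"{later:%H:%M:%S} repeated activation within "
                            f"{flap_window.total_seconds():.0f}s (flapping)")
    return findings


def demo_entries():
    """Constructed history: a normal standby bring-up with a slow config
    sync, a failover, and a final failure caused by a configuration mismatch."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)  # constructed timestamps

    def s(n):
        return t0 + timedelta(seconds=n)

    return [
        (s(0), "Disabled", "Negotiation", "Set by the CI config cmd"),
        (s(2), "Negotiation", "Cold Standby", "Detected an Active mate"),
        (s(3), "Cold Standby", "Sync Config", "Detected an Active mate"),
        (s(130), "Sync Config", "Sync File System", "Detected an Active mate"),
        (s(131), "Sync File System", "Bulk Sync", "Detected an Active mate"),
        (s(132), "Bulk Sync", "Standby Ready", "Detected an Active mate"),
        (s(600), "Standby Ready", "Just Active", "HELLO not heard from mate"),
        (s(601), "Just Active", "Active Drain", "HELLO not heard from mate"),
        (s(602), "Active Drain", "Active Applying Config", "HELLO not heard from mate"),
        (s(603), "Active Applying Config", "Active Config Applied", "HELLO not heard from mate"),
        (s(604), "Active Config Applied", "Active", "HELLO not heard from mate"),
        (s(900), "Active", "Failed", "Configuration mismatch"),
    ]


if __name__ == "__main__":
    for finding in analyse_history(demo_entries()):
        print(finding)
```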

The following is sample output from the show failover interface command. The device has an IPv6 address configured on the failover interface.

Related Commands

show failover exec

To display the failover exec command mode for the specified unit, use the show failover exec command in privileged EXEC mode.

show failover exec { active | standby | mate }

Syntax Description

active

Displays the failover exec command mode for the active unit.

mate

Displays the failover exec command mode for the peer unit.

standby

Displays the failover exec command mode for the standby unit.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
8.0(2)    This command was added.

Usage Guidelines

The failover exec command creates a session with the specified device. By default, that session is in global configuration mode. You can change the command mode of that session by sending the appropriate command (such as the interface command) using the failover exec command. Changing failover exec command modes for the specified device does not change the command mode for the session you are using to access the device. Changing command modes for your current session to the device does not affect the command mode used by the failover exec command.

The show failover exec command displays the command mode on the specified device in which commands sent with the failover exec command are executed.

Examples

The following is sample output from the show failover exec command. This example demonstrates that the command mode for the unit where the failover exec commands are being entered does not have to be the same as the failover exec command mode where the commands are being executed.

In this example, an administrator logged into the standby unit adds a name to an interface on the active unit. The second time the show failover exec mate command is entered in this example, the output shows the peer device in interface configuration mode. Commands sent to the device with the failover exec command are executed in that mode.

ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at config mode
! The following command changes the standby unit failover exec mode
! to interface configuration mode.
ciscoasa(config)# failover exec mate interface GigabitEthernet0/1
ciscoasa(config)# show failover exec mate
Active unit Failover EXEC is at interface sub-command mode
! Because the following command is sent to the active unit, it is replicated
! back to the standby unit.
ciscoasa(config)# failover exec mate nameif test

Related Commands

Command        Description
failover exec  Executes the supplied command on the designated unit in a failover pair.

show file

To display information about the file system, use the show file command in privileged EXEC mode.

Command Default

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
7.0(1)    This command was added.
8.2(1)    The capability to view information about partner application package files was added.
9.7(1)    The show file descriptor command was updated to print output only from open file descriptors when run in the system context.

Usage Guidelines

When the show file descriptors command is used in the system context in multiple context mode, it traverses all contexts and displays the details of any open file descriptors. Only contexts that have an open file descriptor are listed; the system does not print the names of contexts that have no open file descriptors.

Syntax Description

Shows basic information about the offload engine. Add the detail keyword to get additional information such as a summary of port usage.

cpu

Shows the load percentage on offload cores.

flow [ count | detail ]

Shows information on the active off-loaded flows. You can optionally add the following keywords:

count —Shows the number of off-loaded active flows and offloaded flows created.

detail —Shows the active off-loaded flows and their rewrite rules and data.

statistics

Shows the packet statistics of off-loaded flows.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      —

Command History

Release   Modification
9.5(2)    This command was introduced.

Usage Guidelines

If you enable flow off-loading, use this command to view information about the service and the off-loaded flows.

Examples

The following is sample output from the show flow-offload statistics command. The output shows counts for transmitted (Tx), received (Rx) and dropped packets, and statistics for the virtual NIC (VNIC) used.

Size: The maximum number of fragments that can be in the IP reassembly database waiting for reassembly. The default is 200. Note : The database is per-interface.

Chain: The maximum number of fragments into which a full IP packet can be fragmented. The default is 24.

Timeout: The maximum number of seconds to wait for an entire fragmented packet to arrive. The default is 5 seconds.

Reassembly: virtual or full. The default is virtual reassembly. IP fragments that terminate at the ASA or require inspection at the application level are fully (physically) reassembled. The packet that was fully (physically) reassembled can be fragmented again on the egress interface, if necessary.

Queue: Number of fragments in the reassembly database currently awaiting reassembly. Note: The ASA does not accept any new fragments that are not part of an existing fragment chain after the reassembly database reaches 2/3 of the configured maximum size. No syslog message is generated when fragments are dropped for this reason.

Assembled: Number of IP packets (not fragments) fully reassembled. This counter is not incremented if virtual reassembly is applied to the packet.

Fail: Number of IP packets (not fragments) that failed reassembly. For example, this counter is incremented when an incoming packet was fragmented into more than "chain" fragments. In this case syslog message 209005 is produced (rate-limited to 1 message per 10 seconds by default).

Overflow: Number of fragments that overflowed the reassembly database. Such fragments are dropped. If the reassembly database has reached its maximum size and a new fragment arrives, syslog message 209003 is produced (rate-limited to 1 message per 10 seconds by default).
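The interplay of these counters is easier to see in a model. The following Python code is an added example, not Cisco code: it reproduces the accounting rules the fields describe (chain limit with syslog 209005, silent refusal of new chains at 2/3 of the database size, overflow with syslog 209003) on constructed traffic. Treating a timed-out chain as a reassembly failure is a modelling assumption.

```python
"""Model of the ASA fragment reassembly database counters (added example).

Exercises the rules stated for the show fragment fields: size, chain,
timeout, queue, assembled, fail and overflow. Time is an explicit clock
passed by the caller so the timeout can be simulated offline.
"""
from dataclasses import dataclass, field


@dataclass
class FragmentDB:
    size: int = 200      # max fragments held per interface (default 200)
    chain: int = 24      # max fragments per IP packet (default 24)
    timeout: int = 5     # seconds to wait for a complete packet (default 5)
    queue: int = 0       # fragments currently awaiting reassembly
    assembled: int = 0   # packets fully reassembled
    fail: int = 0        # packets that failed reassembly
    overflow: int = 0    # fragments dropped because the database was full
    rejected_new_chain: int = 0   # dropped by the 2/3 rule (no syslog)
    syslogs: list = field(default_factory=list)
    chains: dict = field(default_factory=dict)  # pkt_id -> chain bookkeeping
    current: bytes = b""

    def add_fragment(self, pkt_id, total, now):
        """Account one fragment of packet pkt_id (expected 'total' fragments)."""
        self.expire(now)
        existing = pkt_id in self.chains
        # 2/3 rule: once the queue holds 2/3 of 'size', fragments that do not
        # belong to an existing chain are dropped without a syslog message.
        if not existing and self.queue >= (2 * self.size) // 3:
            self.rejected_new_chain += 1
            return "dropped: new chain refused at 2/3 of database size"
        # Hard limit: database full -> fragment dropped, syslog 209003.
        if self.queue >= self.size:
            self.overflow += 1
            self.syslogs.append("209003")
            return "dropped: reassembly database overflow"
        if not existing:
            self.chains[pkt_id] = {"frags": 0, "total": total, "first_seen": now}
        entry = self.chains[pkt_id]
        entry["frags"] += 1
        self.queue += 1
        # Chain limit: more than 'chain' fragments for one packet -> the packet
        # fails reassembly, syslog 209005, and its queued fragments are released.
        if entry["frags"] > self.chain:
            self._drop_chain(pkt_id)
            self.fail += 1
            self.syslogs.append("209005")
            return "failed: packet exceeds chain limit"
        if entry["frags"] == entry["total"]:
            self._drop_chain(pkt_id)
            self.assembled += 1
            return "assembled"
        return "queued"

    def expire(self, now):
        """Release chains older than 'timeout' seconds (assumed to count as fail)."""
        for pkt_id in [p for p, e in self.chains.items()
                       if now - e["first_seen"] > self.timeout]:
            self._drop_chain(pkt_id)
            self.fail += 1

    def _drop_chain(self, pkt_id):
        self.queue -= self.chains.pop(pkt_id)["frags"]


def reassembly_warnings(db):
    """What a poller should conclude from the counters: the 2/3 refusal
    leaves no syslog trace, so queue depth against size is the only signal."""
    warnings = []
    if db.queue >= (2 * db.size) // 3:
        warnings.append("queue at or above 2/3 of size: new fragment chains are "
                        "being dropped without a syslog message")
    if db.overflow:
        warnings.append("overflow counter non-zero: database hit its maximum (209003)")
    if db.fail:
        warnings.append("fail counter non-zero: chain limit exceeded (209005) "
                        "or, in this model, timeout")
    return warnings


def demo_scenario():
    """Constructed traffic on a small database (size 30, chain 4)."""
    db = FragmentDB(size=30, chain=4, timeout=5)
    for _ in range(3):                      # packet A: 3 fragments, completes
        db.add_fragment("A", 3, now=0)
    for _ in range(5):                      # packet B: 5 fragments > chain 4
        db.add_fragment("B", 5, now=1)
    for n in range(25):                     # 25 new chains; only 20 accepted
        db.add_fragment(f"C{n}", 4, now=2)
    for n in range(10):                     # existing chains grow to size 30
        db.add_fragment(f"C{n}", 4, now=2)
    db.add_fragment("C0", 4, now=2)         # one more: overflow, 209003
    return db


if __name__ == "__main__":
    db = demo_scenario()
    print(db.queue, db.assembled, db.fail, db.overflow, db.rejected_new_chain)
    print(reassembly_warnings(db))
```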

Related Commands

Command                   Description
clear configure fragment  Clears the IP fragment reassembly configuration and resets the defaults.

Related Commands

show h225

To display information for H.225 sessions established across the ASA, use the show h225 command in privileged EXEC mode.

show h225

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The show h225 command displays information for H.225 sessions established across the ASA.

Before using the show h225, show h245, or show h323 ras commands, we recommend that you configure the pager command. If there are a lot of session records and the pager command is not configured, it may take a while for the show output to reach its end.

If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values set by you. If they are not, then there is a problem that needs to be investigated.

This output indicates that there is currently 1 active H.323 call going through the ASA between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is 1 concurrent call between them, with a CRV (Call Reference Value) for that call of 9861.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are 0 concurrent Calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set “maintainConnection” to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.

Related Commands

Command               Description
inspect h323          Enables H.323 application inspection.
show h245             Displays information for H.245 sessions established across the ASA by endpoints using slow start.
show h323 ras         Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323   Configures idle time after which an H.225 signaling connection or an H.323 control connection will be closed.

show h245

To display information for H.245 sessions established across the ASA by endpoints using slow start, use the show h245 command in privileged EXEC mode.

show h245

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The show h245 command displays information for H.245 sessions established across the ASA by endpoints using slow start. (Slow start is when the two endpoints of a call open another TCP control channel for H.245. Fast start is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.)

There is currently one H.245 control session active across the ASA. The local endpoint is 10.130.56.3, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0. (The TPKT header is a 4-byte header preceding each H.225/H.245 message. It gives the length of the message, including the 4-byte header.) The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.

The media negotiated between these endpoints has an LCN (logical channel number) of 258 with a foreign RTP IP address/port pair of 172.30.254.203/49608 and an RTCP IP address/port pair of 172.30.254.203/49609, and a local RTP IP address/port pair of 10.130.56.3/49608 and an RTCP port of 49609.

The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607, with a local RTP IP address/port pair of 10.130.56.3/49606 and an RTCP port of 49607.
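Why the inspection engine must track a per-direction "expecting TPKT header" state is clearer with the framing written out. The following Python code is an added example, not Cisco code: it frames and re-splits H.225/H.245 messages using the 4-byte TPKT header described above (version byte 3, reserved byte, 16-bit big-endian length that includes the header, as in RFC 1006). Modelling the ASA's TPKT value as "payload bytes still owed, 0 meaning a header is next" is an assumption beyond what the page states.

```python
"""TPKT framing for H.225/H.245 over TCP (added example, not Cisco code).

A reassembler that tracks one direction of the control connection: when
remaining == 0 the next bytes must be a TPKT header (the 0 shown by
show h245); otherwise that many payload bytes of the current message are
still outstanding. TCP segment boundaries need not match message boundaries,
which is exactly why the state has to be kept between packets.
"""
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4


def tpkt_encode(payload: bytes) -> bytes:
    """Prefix a message with its TPKT header; the length covers the header."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


class TpktReassembler:
    def __init__(self):
        self.remaining = 0      # 0: expecting a TPKT header next
        self.buf = b""          # unconsumed bytes (e.g. a partial header)
        self.current = b""      # payload of the message being collected
        self.messages = []      # complete message payloads, in order
        self.errors = []        # desynchronisation events

    def feed(self, segment: bytes):
        """Consume one TCP segment's worth of bytes."""
        self.buf += segment
        while self.buf:
            if self.remaining == 0:
                if len(self.buf) < TPKT_HEADER_LEN:
                    return  # wait for the rest of the header
                version, _, length = struct.unpack("!BBH", self.buf[:TPKT_HEADER_LEN])
                # A wrong version or a length smaller than the header itself
                # means the stream is no longer aligned on message boundaries;
                # nothing after this point can be parsed reliably.
                if version != TPKT_VERSION or length < TPKT_HEADER_LEN:
                    self.errors.append(f"bad TPKT header {self.buf[:TPKT_HEADER_LEN].hex()}")
                    self.buf = b""
                    return
                self.buf = self.buf[TPKT_HEADER_LEN:]
                self.remaining = length - TPKT_HEADER_LEN
                self.current = b""
                if self.remaining == 0:     # header-only message
                    self.messages.append(b"")
                    continue
            take = min(self.remaining, len(self.buf))
            self.current += self.buf[:take]
            self.buf = self.buf[take:]
            self.remaining -= take
            if self.remaining == 0:
                self.messages.append(self.current)


def demo_split_stream():
    """Constructed stream: two messages (dummy payload bytes) delivered in
    three TCP segments whose boundaries cut through both header and payload.
    Returns the recovered messages and the 'remaining' value after each
    segment, i.e. what the per-endpoint TPKT value would read."""
    stream = tpkt_encode(b"\x01" * 10) + tpkt_encode(b"\x02" * 6)
    segments = [stream[:7], stream[7:16], stream[16:]]
    r = TpktReassembler()
    states = []
    for seg in segments:
        r.feed(seg)
        states.append(r.remaining)
    return r.messages, states


if __name__ == "__main__":
    msgs, states = demo_split_stream()
    print(len(msgs), "messages; TPKT state after each segment:", states)
```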

Related Commands

Command               Description
inspect h323          Enables H.323 application inspection.
show h245             Displays information for H.245 sessions established across the ASA by endpoints using slow start.
show h323 ras         Displays information for H.323 RAS sessions established across the ASA.
timeout h225 | h323   Configures idle time after which an H.225 signaling connection or an H.323 control connection will be closed.

show h323

To display information for H.323 connections, use the show h323 command in privileged EXEC mode.

show h323 { ras | gup }

Syntax Description

ras

Displays the H.323 RAS sessions established across the ASA between a gatekeeper and its H.323 endpoint.

Related Commands

show history

To display the previously entered commands, use the show history command in user EXEC mode.

show history

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
User EXEC             Yes     Yes             Yes     Yes      Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The show history command lets you display previously entered commands. You can examine commands individually with the up and down arrows, enter ^p to display previously entered lines, or enter ^n to display the next line.

Examples

The following example shows sample output from the show history command in user EXEC mode:

ciscoasa> show history
show history
help
show history

The following example shows sample output from the show history command in privileged EXEC mode:

ciscoasa# show history
show history
help
show history
enable
show history

The following example shows sample output from the show history command in global configuration mode:

Related Commands

show igmp interface

To display multicast information for an interface, use the show igmp interface command in privileged EXEC mode.

show igmp interface [ if_name ]

Syntax Description

if_name

(Optional) Displays IGMP group information for the selected interface.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC       Yes     —               Yes     —        —

Command History

Release   Modification
7.0(1)    This command was modified. The detail keyword was removed.

Usage Guidelines

If you omit the optional if_name argument, the show igmp interface command displays information about all interfaces.

Examples

The following is sample output from the show igmp interface command:

ciscoasa# show igmp interface inside
inside is up, line protocol is up
  Internet address is 192.168.37.6, subnet mask is 255.255.255.0
  IGMP is enabled on interface
  IGMP query interval is 60 seconds
  Inbound IGMP access group is not set
  Multicast routing is enabled on interface
  Multicast TTL threshold is 0
  Multicast designated router (DR) is 192.168.37.33
  No multicast groups joined

Related Commands

Command           Description
show igmp groups  Displays the multicast groups with receivers that are directly connected to the ASA and that were learned through IGMP.

show igmp traffic

To display IGMP traffic statistics, use the show igmp traffic command in privileged EXEC mode.

show igmp traffic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Related Commands

Command              Description
clear igmp counters  Clears all IGMP statistic counters.
clear igmp traffic   Clears the IGMP traffic counters.

show import webvpn

To list the files, customization objects, translation tables, or plug-ins in flash memory that customize and localize the ASA or the AnyConnect Secure Mobility Client, use the show import webvpn command in privileged EXEC mode.

Displays translation tables in the ASA flash memory that translate the language of user messages displayed by the clientless portal, Secure Desktop, and plug-ins.

url-list

Displays URL lists in the ASA flash memory used by the clientless portal (filenames base64 decoded).

webcontent

Displays content in ASA flash memory used by the clientless portal, clientless applications, and plugins for online help visible to end users.

detailed

Displays the path in flash memory of the file(s) and the hash.

xml-output

Displays the XML of the file(s).

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode           Security Context
                      Routed  Transparent     Single  Multiple
                                                      Context  System
Privileged EXEC mode  Yes     —               Yes     —        —

Command History

Release   Modification
8.0(2)    This command was added.
8.2(1)    The AnyConnect-customization keyword was added.

Usage Guidelines

Use the show import webvpn command to identify the custom data and the Java-based client applications available to clientless SSL VPN users. The displayed list itemizes all of the requested data types that are in flash memory on the ASA.

Example

The following illustrates the WebVPN data displayed by the various show import webvpn commands:

Syntax Description

detail

(Optional) Shows detailed interface information, including the order in which the interface was added, the configured state, the actual state, and asymmetrical routing statistics, if enabled by the asr-group command. If you show all interfaces, information about the internal interfaces for SSMs is also displayed, if any are installed on the ASA 5500 series adaptive security appliance. The internal interface is not user-configurable, and the information is for debugging purposes only.

interface_name

(Optional) Identifies the interface name set with the nameif command.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabit ethernet 0/1. See the interface command for accepted values.

redundant number

(Optional) Identifies the redundant interface ID, such as redundant 1.

stats

(Default) Shows interface information and statistics. This keyword is the default, so this keyword is optional.

summary

(Optional) For a VNI interface, shows only the VNI interface parameters.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

vlan number

(Optional) For the ASA 5505 or ASASM, specifies the VLAN interface.

vni id

(Optional) Shows the parameters, status and statistics of a VNI interface, status of its bridged interface (if configured), and NVE interface it is associated with.

Defaults

If you do not identify any options, this command shows basic statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode           Security Context
                        Routed    Transparent   Single    Multiple
                                                          Context   System
Privileged EXEC         Yes       Yes           Yes       Yes       Yes

Command History

Release

Modification

7.0(1)

This command was modified to include the new interface numbering scheme and to add the stats keyword (for clarity) and the detail keyword.

7.0(4)

Support for the 4GE SSM interfaces was added.

7.2(1)

Support for switch interfaces was added.

8.0(2)

Support for redundant interfaces was added. Also, the delay value was added to the output for subinterfaces. Two new counters were added: input reset drops and output reset drops.

8.2(1)

The no buffer number was changed to show the number of failures from block allocations.

8.6(1)

Support for the ASA 5512-X through ASA 5555-X shared management interface and the control plane interface for the software module were added. The management interface is displayed using the show interface detail command as Internal-Data0/1; the control plane interface is displayed as Internal-Control0/0.

9.4(1)

The vni interface type was added.

9.5(1)

Clustering site-specific MAC addresses were added to the output.

9.10(1)

For the Firepower 2100/4100/9300, the output of the command is enhanced to indicate the supervisor association status of the interfaces.

Usage Guidelines

If an interface is shared among contexts, and you enter this command within a context, the ASA shows only statistics for the current context. When you enter this command in the system execution space for a physical interface, the ASA shows the combined statistics for all contexts.

The number of statistics shown for subinterfaces is a subset of the number of statistics shown for a physical interface.

You cannot use the interface name in the system execution space, because the nameif command is only available within a context. Similarly, if you mapped the interface ID to a mapped name using the allocate-interface command, you can only use the mapped name in a context. If you set the visible keyword in the allocate-interface command, the ASA shows the interface ID in the output of the show interface command.

Note: The number of bytes transmitted or received in the Hardware count and in the Traffic Statistics count differ.

In the hardware count, the amount is retrieved directly from the hardware and reflects the Layer 2 packet size, whereas the traffic statistics reflect the Layer 3 packet size.

The size of the difference depends on the design of the interface card hardware.

For example, for a Fast Ethernet card, the Layer 2 count is 14 bytes greater than the traffic count, because it includes the Ethernet header. On the Gigabit Ethernet card, the Layer 2 count is 18 bytes greater than the traffic count, because it includes both the Ethernet header and the CRC.

The interface ID. Within a context, the ASA shows the mapped name (if configured), unless you set the allocate-interface command visible keyword.

“interface_name”

The interface name set with the nameif command. In the system execution space, this field is blank because you cannot set the name in the system. If you do not configure a name, the following message appears after the Hardware line:

Available but not configured via nameif

is state

The administrative state, as follows:

up—The interface is not shut down.

administratively down—The interface is shut down with the shutdown command.

Line protocol is state

The line status, as follows:

up—A working cable is plugged into the network interface.

down—Either the cable is incorrect or not plugged into the interface connector.

VLAN identifier

For subinterfaces, the VLAN ID.

Hardware

The interface type, maximum bandwidth, delay, duplex, and speed. When the link is down, the duplex and speed show the configured values. When the link is up, these fields show the configured values with the actual settings in parentheses. The following list describes the common hardware types:

(For 4GE SSM interfaces only) Shows if the interface is set as RJ-45 or SFP.

message area

A message might be displayed in some circumstances. See the following examples:

In the system execution space, you might see the following message:

Available for allocation to a context

If you do not configure a name, you see the following message:

Available but not configured via nameif

If an interface is a member of a redundant interface, you see the following message:

Active member of Redundant5

MAC address

The interface MAC address.

Site Specific MAC address

For clustering, shows an in-use site-specific MAC address.

MTU

The maximum size, in bytes, of packets allowed on this interface. If you do not set the interface name, this field shows “MTU not set.”

IP address

The interface IP address set using the ip address command or received from a DHCP server. In the system execution space, this field shows “IP address unassigned” because you cannot set the IP address in the system.

Subnet mask

The subnet mask for the IP address.

Packets input

The number of packets received on this interface.

Bytes

The number of bytes received on this interface.

No buffer

The number of failures from block allocations.

Received:

Broadcasts

The number of broadcasts received.

Input errors

The number of total input errors, including the types listed below. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the types below.

Runts

The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.

Giants

The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

CRC

The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the ASA notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Frame

The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.

Overrun

The number of times that the ASA was unable to hand received data to a hardware buffer because the input rate exceeded the ASA's capability to handle the data.

Ignored

This field is not used. The value is always 0.

Abort

This field is not used. The value is always 0.

L2 decode drops

The number of packets dropped because the name is not configured (nameif command) or a frame with an invalid VLAN id is received. On a standby interface in a redundant interface configuration, this counter may increase because this interface has no name (nameif command) configured.

Packets output

The number of packets sent on this interface.

Bytes

The number of bytes sent on this interface.

Underruns

The number of times that the transmitter ran faster than the ASA could handle.

Output Errors

The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.

Collisions

The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.

Interface resets

The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the ASA resets the interface to restart transmission. During this interval, connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.

Babbles

Unused. (“babble” means that the transmitter has been on the interface longer than the time taken to transmit the largest frame.)

Late collisions

The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait.

If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the ASA is partly finished sending the packet. The ASA does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.

Deferred

The number of frames that were deferred before transmission due to activity on the link.

input reset drops

Counts the number of packets dropped in the RX ring when a reset occurs.

output reset drops

Counts the number of packets dropped in the TX ring when a reset occurs.

Rate limit drops

(For 4GE SSM interfaces only) The number of packets dropped if you configured the interface at non-Gigabit speeds and attempted to transmit more than 10 Mbps or 100 Mbps, depending on the configuration.

Lost carrier

The number of times the carrier signal was lost during transmission.

No carrier

Unused.

Input queue (curr/max packets):

The number of packets in the input queue, the current and the maximum.

Hardware

The number of packets in the hardware queue.

Software

The number of packets in the software queue. Not available for Gigabit Ethernet interfaces.

Output queue (curr/max packets):

The number of packets in the output queue, the current and the maximum.

Hardware

The number of packets in the hardware queue.

Software

The number of packets in the software queue.

input queue (blocks free curr/low)

The curr/low entry indicates the number of current and all-time-lowest available slots on the interface's Receive (input) descriptor ring. These are updated by the main CPU, so the all-time-lowest (until the interface statistics are cleared or the device is reloaded) watermarks are not highly accurate.

output queue (blocks free curr/low)

The curr/low entry indicates the number of current and all-time-lowest available slots on the interface's Transmit (output) descriptor rings. These are updated by the main CPU, so the all-time-lowest (until the interface statistics are cleared or the device is reloaded) watermarks are not highly accurate.

Traffic Statistics:

The number of packets received, transmitted, or dropped.

Packets input

The number of packets received and the number of bytes.

Packets output

The number of packets transmitted and the number of bytes.

Packets dropped

The number of packets dropped. Typically this counter increments for packets dropped on the accelerated security path (ASP), for example, if a packet is dropped due to an access list deny.

See the show asp drop command for reasons for potential drops on an interface.

1 minute input rate

The number of packets received in packets/sec and bytes/sec over the last minute.

1 minute output rate

The number of packets transmitted in packets/sec and bytes/sec over the last minute.

1 minute drop rate

The number of packets dropped in packets/sec over the last minute.

5 minute input rate

The number of packets received in packets/sec and bytes/sec over the last 5 minutes.

5 minute output rate

The number of packets transmitted in packets/sec and bytes/sec over the last 5 minutes.

5 minute drop rate

The number of packets dropped in packets/sec over the last 5 minutes.

Redundancy Information:

For redundant interfaces, shows the member physical interfaces. The active interface has “(Active)” after the interface ID.

If you have not yet assigned members, you see the following output:

Members unassigned

Last switchover

For redundant interfaces, shows the last time the active interface failed over to the standby interface.
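The following Python script is an added example, not Cisco code: it parses the hardware and Traffic Statistics counters described above from show interface output, reports the counters whose growth the field descriptions attribute to link faults (input errors, runts, collisions, late collisions, interface resets), and checks the Layer 2 versus Layer 3 byte gap from the note earlier in this section. The output in SAMPLE is constructed in the ASA layout with invented values; it is not output taken from this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ASA "show interface" layout; all counters are invented.
SAMPLE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        10000 packets input, 1580000 bytes, 0 no buffer
        Received 12 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        9000 packets output, 1422000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
  Traffic Statistics for "outside":
        10000 packets input, 1400000 bytes
        9000 packets output, 1260000 bytes
        25 packets dropped
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        5000 packets input, 790000 bytes, 0 no buffer
        Received 4 broadcasts, 30 runts, 0 giants
        52 input errors, 40 CRC, 12 frame, 0 overrun, 0 ignored, 0 abort
        4000 packets output, 632000 bytes, 0 underruns
        3 output errors, 210 collisions, 0 interface resets
        7 late collisions, 55 deferred
  Traffic Statistics for "inside":
        5000 packets input, 700000 bytes
        4000 packets output, 560000 bytes
        900 packets dropped
"""

# Header: Interface <id> "<name>", is <admin state>, line protocol is <line state>
HEADER_RE = re.compile(r'^Interface (?P<ifid>\S+) "(?P<name>[^"]*)", '
                       r'is (?P<admin>.+?), line protocol is (?P<line>\S+)')
# "<count> <counter name>" pairs separated by commas, e.g. "40 CRC, 12 frame"
COUNTER_RE = re.compile(r'(\d+)\s+([A-Za-z][A-Za-z0-9 ]*?)\s*(?:,|$)')
# Counters the field descriptions tie to a link fault, with the stated cause.
FAULT_COUNTERS = [
    ("input errors", "CRC or frame errors from collisions or bad data"),
    ("runts", "collisions, poor wiring or electrical interference"),
    ("collisions", "overextended LAN"),
    ("late collisions", "Ethernet segment running beyond specification"),
    ("interface resets", "no transmission possible for three seconds"),
]


@dataclass
class Interface:
    ifid: str
    name: str
    admin_state: str
    line_state: str
    hw: dict = field(default_factory=dict)       # Layer 2 hardware counters
    traffic: dict = field(default_factory=dict)  # Layer 3 "Traffic Statistics"


def _counters(line: str) -> dict:
    pairs = {name: int(num) for num, name in COUNTER_RE.findall(line)}
    if "bytes" in pairs:  # "bytes" appears on both the input and the output line
        side = "input" if "packets input" in pairs else "output"
        pairs[f"bytes {side}"] = pairs.pop("bytes")
    return pairs


def parse_show_interface(text: str) -> dict:
    """Return {interface name: Interface} for every interface block in the output."""
    result, cur, in_traffic = {}, None, False
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            cur = Interface(m["ifid"], m["name"], m["admin"], m["line"])
            result[cur.name or cur.ifid] = cur
            in_traffic = False
        elif cur is not None:
            line = raw.strip()
            if line.startswith("Traffic Statistics"):
                in_traffic = True
            elif line[:1].isdigit() or line.startswith("Received"):
                (cur.traffic if in_traffic else cur.hw).update(_counters(line))
    return result


def health_findings(iface: Interface) -> list:
    """Non-zero fault counters plus a down line protocol, as readable findings."""
    out = [f"line protocol {iface.line_state}"] if iface.line_state != "up" else []
    out += [f"{iface.hw[c]} {c}: {why}" for c, why in FAULT_COUNTERS if iface.hw.get(c)]
    return out


def l2_overhead(iface: Interface) -> int:
    """Per-packet gap between the hardware (Layer 2) and Traffic Statistics (Layer 3)
    input byte counts: 14 bytes on Fast Ethernet, 18 on Gigabit Ethernet."""
    pkts = iface.hw.get("packets input", 0)
    return (iface.hw["bytes input"] - iface.traffic["bytes input"]) // pkts if pkts else 0


if __name__ == "__main__":
    for name, iface in parse_show_interface(SAMPLE).items():
        print(f"{name} ({iface.ifid}): L2 overhead {l2_overhead(iface)} bytes/packet")
        for finding in health_findings(iface):
            print("  -", finding)
```

The per-packet gap of 18 bytes on both constructed interfaces matches the Gigabit Ethernet case (header plus CRC); rate lines such as "1 minute input rate" are not counters in this format and are ignored by the parser.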

The following is sample output from the show interface command on the ASA 5505, which includes switch ports:

Table 7-7 shows each field description for the show interface command for switch interfaces, such as those for the ASA 5505 adaptive security appliance. See Table 7-6 for fields that are also shown for the show interface command.

Table 7-6 show interface for Switch Interfaces Fields

Field

Description

switch ingress policy drops

This drop is usually seen when a port is not configured correctly. The counter increments when a packet cannot be successfully forwarded within the switch ports as a result of the default or user-configured switch port settings. The following configurations are the likely reasons for this drop:

The nameif command was not configured on the VLAN interface.

Note For interfaces in the same VLAN, even if the nameif command was not configured, switching within the VLAN is successful, and this counter does not increment.

The VLAN is shut down.

An access port received an 802.1Q-tagged packet.

A trunk port received a tag that is not allowed or an untagged packet.

The ASA is connected to another Cisco device that has Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback packets to ensure interface health. This packet is not intended to be received by any other device; the health is ensured just by being able to send the packet. These types of packets are dropped at the switch port, and the counter increments.

switch egress policy drops

Not currently in use.

The following is sample output from the show interface detail command. The following example shows detailed interface statistics for all interfaces, including the internal interfaces (if present for your platform) and asymmetrical routing statistics, if enabled by the asr-group command:

Table 7-7 shows each field description for the show interface detail command. See Table 7-7 for fields that are also shown for the show interface command.

Table 7-7 show interface detail Fields

Field

Description

Demux drops

(On Internal-Data interface only) The number of packets dropped because the ASA was unable to demultiplex packets from SSM interfaces. SSM interfaces communicate with the native interfaces across the backplane, and packets from all SSM interfaces are multiplexed on the backplane.

Control Point Interface States:

Interface number

A number used for debugging that indicates in what order this interface was created, starting with 0.

Interface config status

The administrative state, as follows:

active—The interface is not shut down.

not active—The interface is shut down with the shutdown command.

Interface state

The actual state of the interface. In most cases, this state matches the config status above. If you configure high availability, it is possible there can be a mismatch because the ASA brings the interfaces up or down as needed.

Asymmetrical Routing Statistics:

Received X1 packets

Number of ASR packets received on this interface.

Transmitted X2 packets

Number of ASR packets sent on this interface.

Dropped X3 packets

Number of ASR packets dropped on this interface. The packets might be dropped if the interface is down when trying to forward the packet.

The following is sample output from the show interface detail command on the ASA 5512-X through ASA 5555-X, which shows combined statistics for the Management 0/0 interface (shown as “Internal-Data0/1”) for both the ASA and the software module. The output also shows the Internal-Control0/0 interface, which is used for control traffic between the software module and the ASA.

The interface ID or, in multiple context mode, the mapped name if you configured it using the allocate-interface command. If you show all interfaces, then information about the internal interface for the AIP SSM displays, if installed on the ASA. The internal interface is not user-configurable, and the information is for debugging purposes only.

IP-Address

The interface IP address.

OK?

This column displays “unassociated” if the interface is not associated with the supervisor, and “YES” if it is. This state applies only to Firepower 2100/4100/9300 interfaces and devices. For other devices, this column is not currently used and always shows “Yes.”

Method

The method by which the interface received the IP address. Values include the following:

unset—No IP address configured.

manual—Configured in the running configuration.

CONFIG—Loaded from the startup configuration.

DHCP—Received from a DHCP server.

Status

The administrative state, as follows:

up—The interface is not shut down.

admin down—The interface is shut down with the shutdown command.

Protocol

The line status, as follows:

up—A working cable is plugged into the network interface.

down—Either the cable is incorrect or not plugged into the interface connector.

Related Commands

Command

Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

ip address

Sets the IP address for the interface or sets the management IP address for a transparent firewall.

nameif

Sets the interface name.

show interface

Displays the runtime status and statistics of interfaces.

show inventory

To display information about all of the Cisco products installed in the networking device that are assigned a product identifier (PID), version identifier (VID), and serial number (SN), use the show inventory command in user EXEC mode.

show inventory [ mod_id ]

Syntax Description

mod_id

(Optional) Specifies the module ID or slot number, 0-3.

Defaults

If you do not specify a slot to show inventory for an item, the inventory information of all modules (including the power supply) is displayed.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode            Firewall Mode           Security Context
                        Routed    Transparent   Single    Multiple
                                                          Context   System
User EXEC               Yes       Yes           Yes       Yes       Yes

Command History

Release

Modification

7.0(1)

This command was introduced.

8.4(2)

The output for an SSP was added. In addition, support for a dual SSP installation was added.

8.6(1)

The output for the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X (the chassis, redundant power supplies, and I/O expansion card) was added.

9.1(1)

The output for the ASA CX module was added.

Usage Guidelines

The show inventory command retrieves and displays inventory information about each Cisco product in the form of a UDI, which is a combination of three separate data elements: the product identifier (PID), the version identifier (VID), and the serial number (SN).

The PID is the name by which the product can be ordered; it has been historically called the “Product Name” or “Part Number.” This is the identifier that you use to order an exact replacement part.

The VID is the version of the product. Whenever a product has been revised, the VID is incremented according to a rigorous process derived from Telcordia GR-209-CORE, an industry guideline that governs product change notices.

The SN is the vendor-unique serialization of the product. Each manufactured product has a unique serial number assigned at the factory, which cannot be changed in the field. The serial number is the means by which to identify an individual, specific instance of a product. The serial number can be different lengths for the various components of the device.

The UDI refers to each product as an entity. Some entities, such as a chassis, have sub-entities like slots. Each entity appears on a separate line in a logically ordered presentation that is arranged hierarchically by Cisco entities.

Use the show inventory command without options to display a list of Cisco entities installed in the networking device that are assigned a PID.

If a Cisco entity is not assigned a PID, that entity is not retrieved or displayed.

Note When two SSPs are installed in the same chassis, the number of the module indicates the physical location of the module in the chassis. The chassis master is always the SSP installed in slot 0. Only those sensors with which the SSP is associated are displayed in the output.

The term module in the output is equivalent to physical slot. In the description of the SSP itself, the output includes module: 0 when it is installed in physical slot 0, and module: 1 otherwise. When the target SSP is the chassis master, the show inventory command output includes the power supplies and/or cooling fans. Otherwise, these components are omitted.

The serial number may not display because of hardware limitations on the ASA 5500-X series. For the UDI display of the PCI-E I/O (NIC) option cards in these models, there are six possible outputs according to the chassis type, although there are only two different card types. This is because there are different PCI-E bracket assemblies used according to the specified chassis. The following examples show the expected outputs for each PCI-E I/O card assembly. For example, if a Silicom SFP NIC card is detected, the UDI display is determined by the device on which it is installed. The VID and S/N values are N/A, because there is no electronic storage of these values.

Examples

The following is sample output from the show inventory command without any keywords or arguments. This sample output displays a list of Cisco entities installed in an ASA that are each assigned a PID, including a storage device used for an ASA CX module.

This command shows only removable modules. Thus, although show interface brief on the ASA shows all the SFP interfaces in the EPM, the show inventory command on the ASA shows data only for interfaces that have an SFP plugged in. The following example shows the output of the show inventory command for an SFP interface that has an SFP plugged in:

Physical name (text string) assigned to the Cisco entity. For example, console, SSP, or a simple component number (port or module number), such as “1,” depending on the physical component naming syntax of the device. Equivalent to the entPhysicalName MIB variable in RFC 2737.

DESCR

Physical description of the Cisco entity that characterizes the object. Equivalent to the entPhysicalDesc MIB variable in RFC 2737.

Syntax Description

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabit ethernet0/1. See the interface command for accepted values.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.

vlan number

(Optional) For models with a built-in switch, such as the ASA 5505 adaptive security appliance, specifies the VLAN interface.

Defaults

If you do not specify an interface, the ASA shows all interface IP addresses.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode           Security Context
                        Routed    Transparent   Single    Multiple
                                                          Context   System
Privileged EXEC         Yes       Yes           Yes       Yes       —

Command History

Release

Modification

7.2(1)

Support for VLAN interfaces was added.

Usage Guidelines

This command shows the primary IP addresses (called “System” in the display) that apply when you configure high availability, as well as the current IP addresses. If the unit is active, the system and current IP addresses match. If the unit is standby, the current IP addresses show the standby addresses.

Initial—The initialization state, where the ASA begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails.

Selecting—The ASA is waiting to receive DHCPOFFER messages from one or more DHCP servers, so it can choose one.

Requesting—The ASA is waiting to hear back from the server to which it sent its request.

Purging—The ASA is removing the lease because the client has released the IP address or there was some other error.

Bound—The ASA has a valid lease and is operating normally.

Renewing—The ASA is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.

Rebinding—The ASA failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.

Holddown—The ASA started the process to remove the lease.

Releasing—The ASA sends release messages to the server indicating that the IP address is no longer needed.

DHCP transaction id

A random number chosen by the client, used by the client and server to associate the request messages.

Lease

The length of time, specified by the DHCP server, that the interface can use this IP address.

Renewal

The length of time until the interface automatically attempts to renew this lease.

Rebind

The length of time until the ASA attempts to rebind to a DHCP server. Rebinding occurs if the ASA cannot communicate with the original DHCP server, and 87.5 percent of the lease time has expired. The ASA then attempts to contact any available DHCP server by broadcasting DHCP requests.

Temp default-gateway addr

The default gateway address supplied by the DHCP server.

Temp ip static route0

The default static route.

Next timer fires after

The number of seconds until the internal timer triggers.

Retry count

If the ASA is attempting to establish a lease, this field shows the number of times the ASA tried sending a DHCP message. For example, if the ASA is in the Selecting state, this value shows the number of times the ASA sent discover messages. If the ASA is in the Requesting state, this value shows the number of times the ASA sent request messages.

Client-ID

The client ID used in all communication with the server.

Proxy

Whether this interface is a proxy DHCP client for VPN clients (True or False).

Proxy Network

The requested network.

Hostname

The client hostname.

The following is sample output from the show ip address dhcp server command:

The DHCP server address from which this interface obtained a lease. The top entry (“ANY”) is the default server and is always present.

Leases

The number of leases obtained from the server. For an interface, the number of leases is typically 1. If the server is providing addresses for an interface that is running proxy for VPN, there will be several leases.

Offers

The number of offers from the server.

Requests

The number of requests sent to the server.

Acks

The number of acknowledgments received from the server.

Naks

The number of negative acknowledgments received from the server.

Declines

The number of declines received from the server.

Releases

The number of releases sent to the server.

Bad

The number of bad packets received from the server.

DNS0

The primary DNS server address obtained from the DHCP server.

DNS1

The secondary DNS server address obtained from the DHCP server.

WINS0

The primary WINS server address obtained from the DHCP server.

WINS1

The secondary WINS server address obtained from the DHCP server.

Subnet

The subnet address obtained from the DHCP server.

DNS Domain

The domain obtained from the DHCP server.

Related Commands

Command

Description

interface

Configures an interface and enters interface configuration mode.

ip address dhcp

Sets the interface to obtain an IP address from a DHCP server.

nameif

Sets the interface name.

show interface ip brief

Shows the interface IP address and status.

show ip address

Displays the IP addresses of interfaces.

show ip address pppoe

To view detailed information about the PPPoE connection, use the show ip address pppoe command in privileged EXEC mode.

Related Commands

Creates a named audit policy that identifies the actions to take when a packet matches an attack signature or an informational signature.

show running-config ip audit attack

Shows the configuration for the ip audit attack command.

show ip local pool

To display IPv4 address pool information, use the show ip local pool command in privileged EXEC mode.

show ip local pool interface pool_name

Syntax Description

pool_name

The name of the address pool. Enter ? to see a list of pools.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode           Security Context
                        Routed    Transparent   Single    Multiple
                                                          Context   System
Privileged EXEC         Yes       —             Yes       —         —

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Use this command to view the contents of IPv4 address pools created using the ip local pool command. These pools are used with remote access VPN and clustering. Use the show ipv6 local pool command to view IPv6 address pools.

Related Commands

Command

Description

ip local pool

Configures an IPv4 address pool.

show ip verify statistics

To show the number of packets dropped because of the Unicast RPF feature, use the show ip verify statistics command in privileged EXEC mode. Use the ip verify reverse-path command to enable Unicast RPF.

show ip verify statistics [interface interface_name ]

Syntax Description

interface interface_name

(Optional) Shows statistics for the specified interface.

Defaults

This command shows statistics for all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Privileged EXEC       Yes     —            Yes     Yes      —

Command History

Release   Modification
7.0(1)    This command was added.

Examples

The following is sample output from the show ip verify statistics command:

show ips

To show all available IPS virtual sensors that are configured on the AIP SSM, use the show ips command in privileged EXEC mode.

show ips [ detail ]

Syntax Description

detail

(Optional) Shows the sensor ID number as well as the name.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Privileged EXEC       Yes     Yes          Yes     Yes      Yes

Command History

Release   Modification
8.0(2)    This command was added.

Usage Guidelines

In multiple context mode, this command shows all virtual sensors when entered in the system execution space, but only shows the virtual sensors assigned to the context in the context execution space. See the allocate-ips command to assign virtual sensors to contexts.

Related Commands

Command        Description
allocate-ips   Assigns a virtual sensor to a security context.
ips            Diverts traffic to the AIP SSM.

show ipsec df-bit

To display the IPsec do-not-fragment (DF-bit) policy for IPsec packets for a specified interface, use the show ipsec df-bit command in global configuration mode and privileged EXEC mode. You can also use the command synonym show crypto ipsec df-bit.

show ipsec df-bit interface

Syntax Description

interface

Specifies an interface name.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Global configuration  Yes     Yes          Yes     —        —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

The df-bit setting determines how the system handles the do-not-fragment (DF) bit in the encapsulated header. The DF bit within the IP header determines whether or not a device is allowed to fragment a packet. Based on this setting, the system either clears, sets, or copies the DF-bit setting of the clear-text packet to the outer IPsec header when applying encryption.

Examples

The following example displays the IPsec DF-bit policy for an interface named inside:

show crypto ipsec fragmentation

To display the fragmentation policy for IPsec packets, use the show ipsec fragmentation command in global configuration or privileged EXEC mode. You can also use the command synonym show crypto ipsec fragmentation.

show ipsec fragmentation interface

Syntax Description

interface

Specifies an interface name.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Global configuration  Yes     Yes          Yes     —        —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

When encrypting packets for a VPN, the system compares the packet length with the MTU of the outbound interface. If encrypting the packet will exceed the MTU, the packet must be fragmented. This command shows whether the system will fragment the packet after encrypting it (after-encryption), or before encrypting it (before-encryption). Fragmenting the packet before encryption is also called prefragmentation, and is the default system behavior because it improves overall encryption performance.
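As an added illustration that is not part of Cisco's documentation, the following Python model ties the df-bit policy shown by show ipsec df-bit (clear-df, set-df, copy-df decide the outer header's DF bit) to the fragmentation policy shown by this command (before-encryption or after-encryption decides whether the clear-text or the encrypted packet is the one fragmented once the encrypted size exceeds the interface MTU). The ESP overhead value and the rule that a packet carrying DF is never fragmented but answered with a path MTU message are simplifying assumptions, not ASA internals.

```python
from dataclasses import dataclass

# Constructed value: a rough per-packet overhead for tunnel-mode ESP.
# The real overhead depends on the transform set, so treat it as an assumption.
ESP_OVERHEAD = 58


@dataclass
class IpsecPolicy:
    df_bit: str          # "clear-df", "set-df" or "copy-df"
    fragmentation: str   # "before-encryption" or "after-encryption"
    mtu: int             # MTU of the outbound interface in bytes


def outer_df_bit(policy: IpsecPolicy, inner_df: bool) -> bool:
    """DF bit written into the outer IPsec header for one clear-text packet."""
    if policy.df_bit == "clear-df":
        return False
    if policy.df_bit == "set-df":
        return True
    if policy.df_bit == "copy-df":
        return inner_df
    raise ValueError(f"unknown df-bit policy: {policy.df_bit!r}")


def handle_packet(policy: IpsecPolicy, length: int, inner_df: bool) -> str:
    """Decide what happens to a clear-text packet of the given length.

    Returns "send" (fits after encryption), "prefragment" (clear-text packet
    fragmented before encryption), "postfragment" (encrypted packet fragmented)
    or "pmtu" (too large, but the packet that would have to be fragmented
    carries DF, so a path MTU message goes back to the sending host instead).
    """
    if length + ESP_OVERHEAD <= policy.mtu:
        return "send"
    if policy.fragmentation == "before-encryption":
        # The clear-text packet is what gets fragmented, so its own DF bit rules.
        return "pmtu" if inner_df else "prefragment"
    # after-encryption: the encrypted packet is fragmented, so the outer DF bit
    # produced by the df-bit policy decides whether that is allowed at all.
    return "pmtu" if outer_df_bit(policy, inner_df) else "postfragment"
```

Note that with set-df and after-encryption every oversized packet ends in a PMTU message, which is why the "PMTUs sent" counter of show ipsec stats is worth watching after changing either policy.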

Examples

The following example, entered in global configuration mode, displays the IPsec fragmentation policy for an interface named inside:

show ipsec policy

To display IPsec secure socket API (SS API) security policy configured for OSPFv3, use the show ipsec policy command in global configuration or privileged EXEC mode. You can also use the alternate form of this command: show crypto ipsec policy.

show ipsec policy

Syntax Description

This command has no keywords or variables.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Global configuration  Yes     Yes          Yes     —        —
Privileged EXEC       Yes     Yes          Yes     —        —

Command History

Release   Modification
9.0(1)    This command was added.

Examples

The following example shows the OSPFv3 authentication and encryption policy.

Note Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPsec processing.

The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def.

show ipsec stats

To display a list of IPsec statistics, use the show ipsec stats command in global configuration mode or privileged EXEC mode.

show ipsec stats

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode          Firewall Mode        Security Context
                      Routed  Transparent  Single  Multiple
                                                   Context  System
Global configuration  Yes     Yes          Yes     Yes      —
Privileged EXEC       Yes     Yes          Yes     Yes      —

Command History

Release   Modification
7.0(1)    This command was added.
9.0(1)    ESPv3 statistics are shown with IPsec subsystems, and support for multiple context mode was added.

Usage Guidelines

The following table describes what the output entries indicate.

Output

Description

IPsec Global Statistics

This section pertains to the total number of IPsec tunnels that the ASA supports.

Active tunnels

The number of IPsec tunnels that are currently connected.

Previous tunnels

The number of IPsec tunnels that have been connected, including the active ones.

Inbound

This section pertains to inbound encrypted traffic that is received through IPsec tunnels.

Bytes

The number of bytes of encrypted traffic that has been received.

Decompressed bytes

The number of bytes of encrypted traffic that were received after decompression was performed, if applicable. This counter should always be equal to the previous one if compression is not enabled.

Packets

The number of encrypted IPsec packets that were received.

Dropped packets

The number of encrypted IPsec packets that were received and dropped because of errors.

Replay failures

The number of anti-replay failures that were detected on received, encrypted IPsec packets.

Authentications

The number of successful authentications performed on received, encrypted IPsec packets.

Authentication failures

The number of authentication failures detected on received, encrypted IPsec packets.

Decryptions

The number of successful decryptions performed on received, encrypted IPsec packets.

Decryption failures

The number of decryption failures detected on received, encrypted IPsec packets.

Decapsulated fragments needing reassembly

The number of decrypted IPsec packets that include IP fragments to be reassembled.

Outbound

This section pertains to outbound cleartext traffic to be transmitted through IPsec tunnels.

Bytes

The number of bytes of cleartext traffic to be encrypted and transmitted through IPsec tunnels.

Uncompressed bytes

The number of bytes of uncompressed cleartext traffic to be encrypted and transmitted through IPsec tunnels. This counter should always be equal to the previous one if compression is not enabled.

Packets

The number of cleartext packets to be encrypted and transmitted through IPsec tunnels.

Dropped packets

The number of cleartext packets to be encrypted and transmitted through IPsec tunnels that have been dropped because of errors.

Authentications

The number of successful authentications performed on packets to be transmitted through IPsec tunnels.

Authentication failures

The number of authentication failures that were detected on packets to be transmitted through IPsec tunnels.

Encryptions

The number of successful encryptions that were performed on packets to be transmitted through IPsec tunnels.

Encryption failures

The number of encryption failures that were detected on packets to be transmitted through IPsec tunnels.

Fragmentation successes

The number of successful fragmentation operations that were performed as part of outbound IPsec packet transformation.

Pre-fragmentation successes

The number of successful prefragmentation operations that were performed as part of outbound IPsec packet transformation. Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.

Post-fragmentation successes

The number of successful post-fragmentation operations that were performed as part of outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.

Fragmentation failures

The number of fragmentation failures that have occurred during outbound IPsec packet transformation.

Pre-fragmentation failures

The number of prefragmentation failures that have occurred during outbound IPsec packet transformation. Prefragmentation occurs before the cleartext packet is encrypted and encapsulated as one or more IPsec packets.

Post-fragmentation failures

The number of post-fragmentation failures that have occurred during outbound IPsec packet transformation. Post-fragmentation occurs after the cleartext packet is encrypted and encapsulated as an IPsec packet, which results in multiple IP fragments. These fragments must be reassembled before decryption.

Fragments created

The number of fragments that were created as part of IPsec transformation.

PMTUs sent

The number of path MTU messages that were sent by the IPsec system. IPsec will send a PMTU message to an inside host that is sending packets that are too large to be transmitted through an IPsec tunnel after encapsulation. The PMTU message is a request for the host to lower its MTU and send smaller packets for transmission through the IPsec tunnel.

PMTUs recvd

The number of path MTU messages that were received by the IPsec system. IPsec will receive a path MTU message from a downstream network element if the packets it is sending through the tunnel are too large to traverse that network element. IPsec will usually lower its tunnel MTU when a path MTU message is received.

Protocol failures

The number of malformed IPsec packets that have been received.

Missing SA failures

The number of IPsec operations that have been requested for which the specified IPsec security association does not exist.

System capacity failures

The number of IPsec operations that cannot be completed because the capacity of the IPsec system is not high enough to support the data rate.
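As an added example that is not from Cisco's documentation, the following Python compares two snapshots of the counters described in this table and reports the growth a defender would act on (replay, authentication, decryption, protocol, missing-SA and capacity failures), plus the invariant the table states for the byte counters when compression is off. The counter keys, thresholds and snapshot values are constructed; the ASA's actual output text is not parsed here.

```python
# Counters from the table above that a defender watches, each with a constructed
# per-interval growth threshold (0 means any growth is reported).
WATCHED = {
    "Replay failures": 0,           # replayed or badly reordered ESP packets
    "Authentication failures": 0,   # integrity check failed on received packets
    "Decryption failures": 0,
    "Protocol failures": 0,         # malformed IPsec packets received
    "Missing SA failures": 10,      # a few are normal around rekeys (assumption)
    "System capacity failures": 0,  # data rate beyond what the IPsec system supports
}

# Both sections have a "Bytes" row, so the constructed snapshots prefix the
# section name to keep the keys unique.
BYTE_PAIRS = [("Inbound Bytes", "Inbound Decompressed bytes"),
              ("Outbound Bytes", "Outbound Uncompressed bytes")]


def counter_deltas(before: dict, after: dict) -> dict:
    """Growth of every counter between two snapshots. A negative value means
    the counters were cleared (or the device reloaded) between them."""
    return {name: after[name] - before.get(name, 0) for name in after}


def check_ipsec_stats(before: dict, after: dict, compression_enabled: bool = False) -> list:
    """Return findings for the interval between two show ipsec stats snapshots."""
    findings = []
    deltas = counter_deltas(before, after)
    for name, threshold in WATCHED.items():
        growth = deltas.get(name, 0)
        if growth < 0:
            findings.append(f"{name} went backwards: counters were cleared")
        elif growth > threshold:
            findings.append(f"{name} grew by {growth} (threshold {threshold})")
    if not compression_enabled:
        # The table states these pairs must be equal when compression is off.
        for raw, expanded in BYTE_PAIRS:
            if after[raw] != after[expanded]:
                findings.append(f"{raw} and {expanded} differ with compression off")
    return findings


# Constructed snapshots a few minutes apart; values are illustrative only.
SNAPSHOT_T0 = {"Replay failures": 3, "Authentication failures": 0,
               "Decryption failures": 0, "Protocol failures": 0,
               "Missing SA failures": 2, "System capacity failures": 0,
               "Inbound Bytes": 1_000_000, "Inbound Decompressed bytes": 1_000_000,
               "Outbound Bytes": 2_000_000, "Outbound Uncompressed bytes": 2_000_000}
SNAPSHOT_T1 = {"Replay failures": 3, "Authentication failures": 17,
               "Decryption failures": 0, "Protocol failures": 0,
               "Missing SA failures": 5, "System capacity failures": 0,
               "Inbound Bytes": 1_400_000, "Inbound Decompressed bytes": 1_400_000,
               "Outbound Bytes": 2_600_000, "Outbound Uncompressed bytes": 2_600_000}
```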